The Elliptic Curve secp256k1

Learn about the special elliptic curve secp256k1 and how it meets security requirements in this lesson.


A curve of special interest is the Koblitz curve secp256k1 that is used in the Bitcoin ECDSA signature scheme. secp256k1 is a Certicom curve that‘s recommended by the Standards for Efficient Cryptography Group (SECG)Certicom Research. Standards for efficient cryptography, SEC 2: Recommended elliptic curve domain parameters, January 2010. Version 2.0.. The curve is defined over a prime field Fp\mathbb{F}_{p}, where


is a generalized Mersenne prime number. The curve equation is given in the short Weierstrass form y2=x3+Ax+By^{2}=x^{3}+A x+B, where A=0A=0 and B=7B=7; therefore, the curve has jj-invariant j=0j=0 by this corollary :Elliptic_curves_corollary . The curve has 256-bit prime order

#E(Fp)=225621291\# E\left(\mathbb{F}_{p}\right)=2^{256}-2^{129}-1

thus, E(Fp)E\left(\mathbb{F}_{p}\right) is cyclic by this corollary :cyclicGrp_Corollary_3 , and hence every point except O\mathcal{O} has order nn and thus is a generator of E(Fp)E\left(\mathbb{F}_{p}\right). However, the standard explicitly defines a base point PP by

P=0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798\begin{aligned} P=& 0279 B E 667 E F 9 D C B B A C 55 A 06295 C E 870 B 07 \\ & 029 B F C D B 2 D C E 28 D 959 F 2815 B 16 F 81798 \end{aligned}

in the compressed form, having cofactor h=01h=01. According to Bjoernsen (2015)Kristian Bjoernsen. Koblitz Curves and its Practical Uses in Bitcoin Security. 2015. Available online at Bjoernsen.pdf., there’s a lack of transparency regarding the choice of this specific base point since the SECG chair Dan Brown couldn’t give a sufficient explanation about the choice of the base point.

Get hands-on with 1200+ tech skills courses.